or Peter Cudlip, Partner (peter.cudlip@mazars.co.uk). 


Disclaimer 


This report (“Report”) was prepared by Mazars LLP at the request of the Information Commissioner’s Office (ICO) and terms for the 
preparation and scope of the Report have been agreed with them. The matters raised in this Report are only those which came to 
our attention during our internal audit work. Whilst every care has been taken to ensure that the information provided in this Report 
is as accurate as possible, Internal Audit have only been able to base findings on the information and documentation provided and 
consequently no complete guarantee can be given that this Report is necessarily a comprehensive statement of all the weaknesses 
that exist, or of all the improvements that may be required. 


The Report was prepared solely for the use and benefit of the Information Commissioner's Office and to the fullest extent permitted 
by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any reason 
whatsoever on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Accordingly, any 
reliance placed on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification by any third 
party is entirely at their own risk. Please refer to the Statement of Responsibility in Appendix A4 of this report for further information 
about responsibilities, limitations and confidentiality. 
01 Summary 


The purpose of this report is to provide an update to the Audit Committee on the progress of the Internal Audit Strategy for the year ending 31 March 2021. In 
Section 02, we have provided a summary of our work to date with further detail in Appendix A1, including the status and timing of each audit. We would like to 
discuss our approach to the audit of business continuity during the Audit Committee. Appendix A2 provides information on the upcoming review of business 
continuity. Appendix A3 includes a summary of support information for the COVID-19 crisis. 


02 Current Progress in 2020/21 


We are on track with completion of our reviews, having completed four out of eight reviews included in the internal audit plan. Since the last meeting of the 
Audit Committee on 20 April 2020, the following progress has been made against the plan. The final reports for the completed reviews have been provided to the Committee. 


Work Completed 


- Fees and income 
- Business planning 
- HR core controls 
- Stakeholder management 


Other Matters 


- Business continuity and disaster recovery review: our internal audit plan for 2020/21 included a review of business continuity and disaster recovery (BC 
& DR). We have discussed our approach to this review with management and have two options for the review; these are set out in Appendix A2. We 
seek the Audit Committee's view on which option we should undertake as part of the 2020/21 internal audit plan. 

- The COVID-19 crisis has had a significant impact on all types of organisations and businesses. In Appendix A3 we have provided a link to 
a webinar and other information that may be useful. 
A1 Plan Overview 


Auditable Area                               | Target Review Start Date | Actual Review Start | Target Audit Committee  | Status       | Assurance Level | Recommendations (P1) | Recommendations (P2) 
Fees and Income                              | December 2020            | 6 July 2020         | November 2020           | Final report | Substantial     | -                    | (illegible) 
Methodology of the Business Planning Process | June 2020                | 10 August 2020      | November 2020           | Final report | Adequate        | -                    | 5 
HR Core Control                              | July 2020                | 3 August 2020       | November 2020           | Final report | Adequate        | -                    | 2 
Stakeholder Management                       | September 2020           | 21 September 2020   | November 2020           | Final report | Limited         | 2                    | 2 
Business Continuity and Disaster Recovery    | October 2020             | 25 January 2021     | 2021 (month illegible)  | (not stated) |                 |                      | 
High Priority Cases                          | November 2020            | 9 November 2020     | January 2021            | Planning     |                 |                      | 
Information Governance                       | May 2020                 | 2 December 2020     | January 2021            | Planning     |                 |                      | 
Investigations and Enforcement               | January 2021             | 8 February 2021     | April 2021              | (not stated) |                 |                      | 
Follow Up                                    | January 2021             | January 2021        | April 2021              | Fieldwork    |                 |                      | 
Management and Control                       | Throughout               | N/A                 | N/A                     | N/A          |                 |                      | 
A2 Providing assurance on ICO's crisis response capabilities 


As the Covid-19 crisis continues, and we enter a second lockdown, it is a critical time for the ICO to evaluate its response to the crisis. Our internal audit plan for 
2020/21 included a review of business continuity and disaster recovery (BC & DR). We have discussed our approach to this review with management and 
have two options for the review: 


- An internal audit of BC & DR to assess the ICO's response to Covid-19 and the current measures in place; or 


- An advisory review, led by our Consulting Team, to understand the lessons learnt from the ICO's approach and use this to bolster your crisis and 
continuity plans to enable you to respond more effectively to future critical incidents. We have provided more information on what this review would 
involve below. 


We seek the Audit Committee's view on which option we should undertake as part of the 2020/21 internal audit plan. 
Advisory review of business continuity including lessons learnt 


The purpose of a business continuity plan is to ensure that your organisation can survive a critical incident. It facilitates an immediate response to a crisis in 
order to shorten recovery time and mitigate impact. We will work with you to develop/enhance your business continuity plan, providing stakeholders with the 
assurance that your organisation can prevent, adapt to, respond to and recover from any future critical disruptions. 


Our approach 
Phase 1 — Reviewing your response to the crisis 


- Facilitated virtual workshop(s) with the senior leadership team and other key stakeholders. Using a defined framework, we will gain a deep 
understanding of how you responded and identify what was done well and areas for improvement; 

- Interviews with key stakeholders and members of staff; 

- Circulation of an online questionnaire/survey; 

- Review of your business continuity plan; and 

- Review of meeting minutes and other relevant documentation. 

The output from phase 1 is a report documenting our findings, with a list of key lessons learnt and recommendations. 


Phase 2 — Enhancing your business continuity plans 


- Using the output from phase 1 we will develop focused and actionable plans to cover areas such as governance and oversight, employee health & 
safety, risk management, supply chain resilience, internal & external communications, business systems, IT & security management, third party 
management, change management, organisational culture and training to ensure that the organisation is prepared for the future; 

- Undertake scenario analysis and set impact tolerances from a stakeholder, business and financial stability perspective; and 

- Provide management with a crisis framework/tool to allow them to self-assess on an ongoing basis to promote a culture of preparedness. 
A3 Covid-19 


Heads of Internal Audit 2.0 
In October 2020, we hosted a further live Webinar in the latest series of our Heads of Internal Audit Forum in response to the COVID-19 crisis. 


A recording of the Webinar, which is approximately 60 minutes, is available on our website Webinar Link 


The event was hosted by Mazars’ Partners and Directors across our Consulting and Risk Assurance Teams. Gavin Hayes, Head of Policy & External Affairs at 
the CIIA, also joined our panel as we discussed how you can adapt to these new trends and explore some of the challenges the industry expects to face over 
the coming year. 


The Webinar covered the following topics: 
- How does Internal Audit remain relevant and agile? 
- Responding to increased expectations from stakeholders as business strategies change 
- Applying the new private sector IA code: what can be learned from other sectors? 
- 2021 planning: insight into the latest hot topics, e.g. digitalisation, new technology, ESG, cyber security and crisis management 
- Q&A 
Risk and Management Planning 


As the COVID-19 crisis continues, it's clear that challenges facing businesses are going to last longer and have a greater impact than first anticipated. 
Businesses will have to manage every aspect of their operations over several months, even years, in a way they have never needed to before. 


Understanding the broader context of the pandemic on demand and supply during the various phases will help ensure you are well-positioned to survive 
and resume operations as and when the situation returns to normal - albeit a new normal. 


There are four key phases to consider: 


1. Lead-in phase - During the lead-in phase, priorities for businesses focused on caring for staff, customers and other stakeholders from a public health 
perspective; and to assess the short-term cashflow implications of the sudden drop in demand. 


2. Acute phase - During this phase, you will need to streamline and review staffing levels, production and development, while ensuring your business 
remains agile, allowing you to slowly build through the suppression phase and into the recovery phase. 


3. Suppression phase - Businesses in this phase will have limited reserves which need to last as long as possible to ensure survival until the recovery 
kicks in. 
4. Recovery phase - The longer-term impact of the crisis could last two to three years as the global economy recovers. 


As we know, the recovery phase is going to take a lot longer than initially expected, so businesses need to be agile and flexible to gradually increase 
operations over six months to a year. 


To do so will require an unprecedented level of vigilance, planning and flexibility, with businesses developing comprehensive strategies to deal with a range of 
different scenarios — best case, likely case and worst case. 


Revisions will need to be made too, on potentially a monthly basis as more information becomes available and circumstances become clearer. 
BELOW ARE 5 KEY STEPS TO CONSIDER WHEN NAVIGATING YOUR WAY THROUGH THESE PHASES. 


1. A clear pre-crisis financial starting point. Conduct a fair and honest assessment of your pre-crisis financials in terms of revenue, cost base profile, 
profit, cash flow and balance sheet. 


2. Pandemic revenue impact assessment. Assess the likely duration of each pandemic phase and its associated revenue impact on your business, 
including metrics such as sales volume decline, supply problems and staffing availability. Scenario analysis will help to identify the range of forecast 
reductions in revenue against current operating models, budgets and cost base. 


3. Clarify crisis management priorities. Set clear priorities for your business to help orient the response. Working on innovating the business model to 
compete better in the current environment and be prepared for the recovery phase may also be a necessary priority. 


4. Build an integrated 18-month crisis management plan. Identify a realistic suite of tactics and actions to deliver on priorities and develop new 
operational and financial plans to support delivery. These plans should be built around the most likely scenario, yet also identify additional contingency 
measures that may be needed in both the best and worst-case scenarios. 


5. Execute plans and continuously monitor operational performance. Closely track your operational performance each month against your crisis 
management plan. Reviewing revenue, profit, working capital, funding and cash flow position will ensure that the key actions identified are being executed, 
while maintaining relationships and communicating with key stakeholders. This step also requires ongoing review of the environment for key changes to make 
sure the planning assumptions are still relevant. At all times, operational plans and cost bases should remain consistent with the changing needs of your business. 


Following these 5 key steps will help you to create a crisis management framework and KPIs that will enable ongoing performance review and implementation 
of the necessary tactics to deal with the specific challenges of each stage of the crisis, from now until the new normal returns. 
A4 Statement of Responsibility 


We take responsibility to The Information Commissioner's Office for this report, which is prepared on the basis of the limitations set out below. 


The responsibility for designing and maintaining a sound system of internal control and the prevention and detection of fraud and other irregularities rests with 
management, with internal audit providing a service to management to enable them to achieve this objective. Specifically, we assess the adequacy and 
effectiveness of the system of internal control arrangements implemented by management and perform sample testing on those controls in the period under 
review with a view to providing an opinion on the extent to which risks in this area are managed. 


We plan our work in order to ensure that we have a reasonable expectation of detecting significant control weaknesses. However, our procedures alone should 
not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify any circumstances of fraud or irregularity. Even sound 
systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. 

The matters raised in this report are only those which came to our attention during the course of our work and are not necessarily a comprehensive statement 
of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact 
before they are implemented. The performance of our work is not and should not be taken as a substitute for management's responsibilities for the application 
of sound management practices. 


This report is confidential and must not be disclosed to any third party or reproduced in whole or in part without our prior written consent. To the fullest extent 
permitted by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any reason whatsoever on the 
Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Accordingly, any reliance placed on the Report, its contents, 
conclusions, any extract, reinterpretation, amendment and/or modification by any third party is entirely at their own risk. 


Registered office: Tower Bridge House, St Katharine’s Way, London E1W 1DD, United Kingdom. Registered in England and Wales No 00308299. 